Lucene search
+L

859 matches found

EUVD
EUVD
added 2026/04/22 9:31 a.m.5 views

EUVD-2026-24680

The mCatFilter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.5.2. This is due to the complete absence of nonce verification and capability checks in the computepost function, which processes settings updates. The computepost function is...

4.3CVSS5.7AI score0.00165EPSS
Exploits0References8
CVE
CVE
added 2026/04/22 9:27 a.m.14 views

CVE-2026-1930

The WordPress Emailchef plugin (versions up to 3.5.1) is vulnerable due to a missing capability check in page_options_ajax_disconnect(). This allows authenticated attackers with Subscriber-level access and higher to delete the plugin’s settings via the emailchef_disconnect AJAX action, exposing d...

4.3CVSS5.7AI score0.00261EPSS
Exploits0References6
NVD
NVD
added 2026/04/22 9:16 a.m.6 views

CVE-2026-4131

The WP Responsive Popup + Optin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.4. This is due to the settings form on the admin page wpoadminpage.php lacking nonce generation wpnoncefield and verification wpverifynonce/checkadminreferer. Thi...

6.1CVSS0.00181EPSS
Exploits0References11
NVD
NVD
added 2026/04/22 9:16 a.m.6 views

CVE-2026-4118

The Call To Action Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.3. This is due to missing nonce validation in the cboxoptionspage function which handles saving, creating, and deleting plugin settings. The form rendered on the...

4.3CVSS0.00208EPSS
Exploits0References9
CVE
CVE
added 2026/04/22 7:45 a.m.9 views

CVE-2026-4139

The CVE-2026-4139 case concerns the WordPress mCatFilter plugin (versions

4.3CVSS5.7AI score0.00165EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/04/22 7:45 a.m.5 views

CVE-2026-4118

The Call To Action Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.3. This is due to missing nonce validation in the cboxoptionspage function which handles saving, creating, and deleting plugin settings. The form rendered on the...

4.3CVSS5.7AI score0.00208EPSS
Exploits0References10
Vulnrichment
Vulnrichment
added 2026/04/22 7:45 a.m.2 views

CVE-2026-6041 Buzz Comments <= 0.9.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Custom Buzz Avatar' Setting

The Buzz Comments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Custom Buzz Avatar' buzzcommentsavatarimage setting in all versions up to, and including, 0.9.4. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticate...

4.4CVSS5.9AI score0.0025EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/04/22 12:0 a.m.11 views

WordPress plugin Call To Action Plugin 跨站请求伪造漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

4.3CVSS5.7AI score0.00208EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/04/22 12:0 a.m.10 views

WordPress plugin Emailchef 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

4.3CVSS5.8AI score0.00261EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/04/22 12:0 a.m.9 views

WordPress plugin WP Responsive Popup + Optin 跨站请求伪造漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

6.1CVSS5.8AI score0.00181EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/21 6:43 a.m.4 views

CVE-2026-6703

The Responsive Blocks – Page Builder for Blocks & Patterns plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.2.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticat...

4.3CVSS5.7AI score0.0023EPSS
Exploits0References9Affected Software1
Patchstack
Patchstack
added 2026/04/16 10:49 a.m.6 views

WordPress Livemesh Addons by Elementor plugin <= 9.0 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via Plugin Settings vulnerability

Missing Authorization to Authenticated Subscriber+ Stored Cross-Site Scripting via Plugin Settings vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Livemesh Addons for Elementor versions = 9.0...

6.4CVSS5.8AI score0.00322EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2026/04/16 6:44 a.m.15 views

CVE-2026-1572

CVE-2026-1572 affects Livemesh Addons for Elementor (WordPress). All versions up to 9.0 are vulnerable due to missing authorization checks on AJAX handler lae_admin_ajax() and insufficient output escaping across multiple checkbox settings fields. This enables authenticated users with Subscriber-l...

6.4CVSS5.9AI score0.00322EPSS
Exploits0References9
Patchstack
Patchstack
added 2026/04/14 3:38 a.m.9 views

WordPress WholeSale Products Dynamic Pricing Management WooCommerce plugin <= 1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting via Plugin Settings vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin WholeSale Products Dynamic Pricing Management WooCommerce versions = 1.2...

4.4CVSS5.8AI score0.00157EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/04/14 3:37 a.m.35 views

CVE-2026-4479 WholeSale Products Dynamic Pricing Management WooCommerce <= 1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings

The WholeSale Products Dynamic Pricing Management WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

4.4CVSS0.00157EPSS
Exploits0References2
Patchstack
Patchstack
added 2026/04/10 12:11 a.m.5 views

WordPress Aruba HiSpeed Cache plugin <= 3.0.4 - Cross-Site Request Forgery to Plugin Settings Reset vulnerability

Cross-Site Request Forgery to Plugin Settings Reset vulnerability discovered by Legion Hunter in WordPress Plugin Aruba HiSpeed Cache versions = 3.0.4...

4.3CVSS5.9AI score0.00181EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/09 2:25 a.m.2 views

CVE-2026-3574 Experto Dashboard for WooCommerce <= 1.0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Navigation Font Size' Setting

The Experto Dashboard for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's settings fields including 'Navigation Font Size', 'Navigation Font Weight', 'Heading Font Size', 'Heading Font Weight', 'Text Font Size', and 'Text Font Weight' in all versions...

4.4CVSS6AI score0.00207EPSS
Exploits0References6
CVE
CVE
added 2026/04/08 3:36 a.m.11 views

CVE-2026-3646

The CVE concerns the WordPress plugin LTL Freight Quotes – R+L Carriers Edition (versions up to and including 3.3.13). A standalone PHP webhook handler processes GET parameters without proper authentication, authorization, or nonce verification, allowing unauthenticated attackers to modify subscr...

5.3CVSS5.9AI score0.00385EPSS
Exploits0References14
RedhatCVE
RedhatCVE
added 2026/04/01 11:0 p.m.5 views

CVE-2026-34394

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint admin/save.json.php lacks any CSRF token validation. There is no call to isGlobalTokenValid or verifyToken before processing the request. Combined with the application's explicit...

8.1CVSS6AI score0.00233EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/04/01 5:3 p.m.6 views

CVE-2026-3191

The Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.12. This is due to missing or incorrect nonce validation on the 'minifyhtmlmenuoptions' function. This makes it possible for unauthenticated attackers to update plugin settin...

5.4CVSS5.8AI score0.00154EPSS
Exploits0References1
Rows per page
Query Builder